On 2017-02-24 11:01, Antoine Pitrou wrote:
> On Thu, 23 Feb 2017 23:51:45 -0800 Benjamin Peterson email@example.com wrote:
>> Like all CPython developers, the Python security team are all volunteers. That, combined with the fact that dealing with security issues is one of the least fun programming tasks, means issues are sometimes dropped.
>> Perhaps some organization with a stake in Python security would like to financially support Python security team members.
>> As for this particular issue, we should determine if there's a tracker issue yet and continue discussion there.
> Just for the record, I find the mailing-list scheme used by PSRT quite difficult to deal with. For many people it's easy to lose track of e-mails received more than one week ago, so the necessary followup to security issues received by e-mail suffers.
> It's a bit sad that regular issues benefit from a full-fledged Roundup instance to allow for easy tracking of open issues (including comments and proposed fixes), but security issues are restricted to such a primitive communication setup which makes it so difficult to get work done.
> AFAIK, other projects have full-fledged private bug trackers for their security issues (or access-restricted sections in the main bug tracker, where the software supports it).
Antoine's and Benjamin's replies are the gist of my security talk at the last language summit, https://lwn.net/Articles/691308/ . A dedicated bug tracker or embargoed tickets would help the most. It would also make it much easier to track and measure our response time.
A paid position would also help with the organizational overhead. Personally, I'm good at finding and fixing security issues. The actual communication, reporting and press releases are not my strength.
Victor's incredible work on http://python-security.readthedocs.io/vulnerabilities.html is going to help, too.